SSL certificate chain

So … mysteries solved. I believe.
A few things were wrong for me:
1) I had a catch-all virtual host using the same certificate file as the main site (configured both with an "invalid" server name and default_server for both HTTP and HTTPS)
2) It seems the virtual server is also selected based on CN/SubjectAltName from the certificate, which I did not know (is this correct? Seems so from my testing)
So I changed the certificate on the catch-all virtual server to a self-signed one and now everything seems to be OK.
Sorry for taking up your time with my misconfigured server. At least I learned something :)
--
daniel
On 2 sep 2013, at 19:12, Steve Wilson <lists-nginx at swsystem.co.uk> wrote:
> On 2013-09-02 11:59, Daniel Lundqvist wrote:
>> I have, it just says only 1 certificate is provided. Here are the test
>> results:
>> https://www.ssllabs.com/ssltest/analyze.html?d=www.malarhojden.nu
>> ...
>
> I note that you're using startcom for the certificate, I recall that the intermediate certificate they say to use isn't actually the one provided and had to complete the certificate chain myself.
> https://www.ssllabs.com/ssltest/analyze.html?d=www.stevewilson.co.uk
>
> To build up my pem I started with the crt and key, then running "openssl x509 -in cert.pem -noout -text" I was then able to download the correct intermediate using the "CA Issuers - URI" provided in the certificate. Appending this to the pem and retesting. Repeating the process for each certificate until it became valid.
>
> Authority Information Access:
>     OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
>     CA Issuers - URI:http://aia.startssl.com/certs/sub.class1.server.ca.crt
>
> It might be worth checking if your intermediate matches the above sub.class1.server.ca.crt one.
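
Added example, not part of the thread: the procedure Steve describes (read the "CA Issuers - URI", append that certificate, retest) as a shell check that runs offline against a throwaway PKI. The function names, the `aia.example.invalid` URIs and the certificates are constructed here; the check compares issuer and subject names only and downloads nothing.

```sh
#!/bin/sh
# Added example: helper names and the throwaway PKI are constructed for illustration.
# Print the "CA Issuers - URI" from a certificate's Authority Information Access.
aia_issuer_uri() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *CA Issuers - URI:\(.*\)$/\1/p' | head -n 1
}

# Walk a PEM bundle, leaf first: each issuer name must match the next subject name
# (names only, no signature check). Prints where to fetch the next certificate.
check_bundle() {
    dir=$(mktemp -d) || return 2
    n=$(awk -v d="$dir" '/BEGIN CERTIFICATE/ {n++}
        n {print > (d "/" n ".pem")} END {print n+0}' "$1")
    i=1; n=${n:-0}
    while [ "$i" -lt "$n" ]; do
        iss=$(openssl x509 -in "$dir/$i.pem" -noout -issuer_hash)
        sub=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject_hash)
        [ "$iss" = "$sub" ] || { echo "misordered at $((i + 1))"; rm -rf "$dir"; return 1; }
        i=$((i + 1))
    done
    last="$dir/$n.pem"
    if [ "$n" -eq 0 ]; then echo "no certificates"
    elif [ "$(openssl x509 -in "$last" -noout -issuer_hash)" = \
           "$(openssl x509 -in "$last" -noout -subject_hash)" ]; then
        echo "ends at self-issued root"
    else
        uri=$(aia_issuer_uri "$last"); echo "next: ${uri:-unknown, no AIA in last cert}"
    fi
    rm -rf "$dir"
}

# Constructed PKI in directory $1: root.pem, int.pem, leaf.pem with AIA pointers.
make_demo_pki() (
    cd "$1" || exit 1
    printf '%s\n' '[ca]' 'basicConstraints=critical,CA:TRUE' \
        'authorityInfoAccess=caIssuers;URI:http://aia.example.invalid/root.crt' \
        '[leaf]' 'authorityInfoAccess=caIssuers;URI:http://aia.example.invalid/int.crt' >ext.cnf
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
        -subj '/CN=Constructed root' -days 2 2>/dev/null || exit 1
    issue() {  # issue NAME EXT_SECTION SIGNER
        openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
            -subj "/CN=Constructed $1" 2>/dev/null &&
        openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
            -days 2 -extfile ext.cnf -extensions "$2" -out "$1.pem" 2>/dev/null
    }
    issue int ca root && issue leaf leaf int
)

d=$(mktemp -d) && make_demo_pki "$d" && check_bundle "$d/leaf.pem"; rm -rf "$d"
```

A server bundle normally stops at the last intermediate, since clients take the root from their own trust store.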